Buy Certificates for Squid 'man in the middle'

Buy Certificates for Squid 'man in the middle'

angelv
Hi,

I need your advice.

I have a transparent proxy running with a self-generated certificate 'myCA.pem'; as it is not signed by a valid entity, I have to import the 'myCA.der' certificate into all web browsers ...

I want to know where I can buy a valid certificate that works in Squid.

PS:
The proxy is working great.


----------------------------------------------------------------------------------------------
Important information for clarity (FreeBSD, squid-3.5.23 and PF):

Create a self-signed certificate for the Squid server

# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out /usr/local/etc/squid/ssl_cert/myCA.pem -config /usr/local/etc/squid/ssl_cert/openssl.cnf
# (note: -keyout writes the private key to myCA.pem in the current directory while -out writes the certificate under ssl_cert/; Squid reads the key from the cert= file when no key= option is given, so both must end up in the same file)

# openssl dhparam -outform PEM -out /usr/local/etc/squid/ssl_cert/dhparam.pem 2048

Create a DER-encoded certificate to import into users' browsers

# openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER -out /usr/local/etc/squid/ssl_cert/myCA.der


# edit /usr/local/etc/squid/squid.conf
...
# Squid normally listens to port 3128
http_port  3128

# Intercept HTTPS CONNECT messages with SSL-Bump
#
http_port  3129 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
https_port 3130 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl_db -M 4MB
#
acl step1 at_step SslBump1
#
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
always_direct allow all
#
# NOTE: the next two directives make Squid accept any origin server certificate
# (certificate errors ignored, peer not verified); the browser only sees the
# certificate Squid generates, so origin verification is left entirely to Squid
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
...

PF redirects the traffic to Squid

# edit /etc/pf.conf
...
# Intercept HTTPS CONNECT messages with SSL-Bump
rdr pass on $int_if inet  proto tcp from any to port https \
        -> 127.0.0.1 port 3130
rdr pass on $int_if inet6 proto tcp from any to port https \
        -> ::1 port 3130
...
----------------------------------------------------------------------------------------------
--
Ángel Villa G.
US +1 (786) 233-9240 | CO +57 (300) 283-6546
[hidden email]
https://google.com/+AngelVillaG
https://angelcontents.blogspot.com

"We are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further" - Richard Dawkins

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Buy Certificates for Squid 'man in the middle'

Yuri Voinov



02.02.2017 2:58, angelv wrote:
Hi,

I need your advice.

I have a transparent proxy running with a self-generated certificate 'myCA.pem'; as it is not signed by a valid entity, I have to import the 'myCA.der' certificate into all web browsers ...

I want to know where I can buy a valid certificate that works in Squid.
Nowhere. Due to the CAs' CPS.
--
Bugs to the Future

Re: Buy Certificates for Squid 'man in the middle'

Yuri Voinov

In three words:

Forget about it.

No one in the world permits you to do a Man-In-The-Middle attack hidden from the users.

CAs, in the event of such certificates, immediately include them in the list of untrusted ones. And you can end up with problems up to a long prison term, for violation of the users' privacy. In other words, users should be aware that there is a proxy hacking HTTPS in front of them. All other tricks are illegal, or at least contrary to ethics.

Forget about it.

I'm serious.


--
Bugs to the Future

Re: Buy Certificates for Squid 'man in the middle'

FredB
In reply to this post by angelv

From: http://wiki.squid-cache.org/Features/DynamicSslCert

"In theory, you must either import your root certificate into browsers or instruct users on how to do that. Unfortunately, it is apparently a common practice among well-known Root CAs to issue subordinate root certificates. If you have obtained such a subordinate root certificate from a Root CA already trusted by your users, you do not need to import your certificate into browsers. However, going down this path may result in removal of the well-known Root CA certificate from browsers around the world. Such a removal will make your local SslBump-based infrastructure inoperable until you import your certificate, but that may only be the beginning of your troubles. Will the affected Root CA go after you to recoup their world-wide damages? What will your users do when they learn that you have been decrypting their traffic without their consent?"

The last sentence is ambiguous: the users can know, you can inform them that you have been decrypting their traffic.
There is no difference (from the user's point of view, I mean) between a well-known Root CA and a self-signed certificate with a CA injected by a local GPO.

But in practice I don't know how you can do that; just "hello, I want a subordinate root certificate"?

FredB  
Re: Buy Certificates for Squid 'man in the middle'

Odhiambo Washington-4
So we can't even use the free certs from letsencrypt with Squid??




--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

Re: Buy Certificates for Squid 'man in the middle'

Amos Jeffries
Administrator
On 2/02/2017 9:49 p.m., Odhiambo Washington wrote:
> So we can't even use the free certs from letsencrypt with Squid??
>

Not for MITM / SSL-Bump, no.

The very first clause of the purchase contract for the LetsEncrypt CA is:

"
By requesting, accepting, or using a Let’s Encrypt Certificate:

* You warrant to ISRG and the public-at-large that You are the
legitimate registrant of the Internet domain name that is, or is going
to be, the subject of Your Certificate, or that You are the duly
authorized agent of such registrant.
"

Meaning they can be used for explicit TLS-proxy or CDN reverse-proxy only.

If you have just used LetsEncrypt certs because of the hype about their being
cheap and easy and everyone else saying it's good, I think it well worth
your time going to their site and reading the contract to which you
have bound your network.

For networks outside North America there are some legal implications
about signing judicial authority and your users' method of legal redress
over to the USA government.

Amos

Re: Buy Certificates for Squid 'man in the middle'

Amos Jeffries
Administrator
On 3/02/2017 1:43 a.m., angelv wrote:

> On Thu, Feb 2, 2017 at 4:37 AM, Amos Jeffries <[hidden email]> wrote:
>
>
> I have certificates for my sub-domain
>
> for example:
>
> Proxy.subdomain.domain.com
>
> I have the following files issued by Letsencrypt:
>
> ca.cer
> proxy.subdomain.domain.com.conf          proxy.subdomain.domain.com.ssl.conf
> fullchain.cer                           proxy.subdomain.domain.com.csr
> proxy.subdomain.domain.com.cer           proxy.subdomain.domain.com.key
>
> Can you use it?
> How do I make them usable for the proxy?
>

https_port 3128 \
  cert=/path/to/proxy.subdomain.domain.com.cer \
  key=/path/to/proxy.subdomain.domain.com.key \
  cafile=/path/to/fullchain.cer

That is all. No SSL-Bump or other config.

Amos

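The two kinds of certificate this thread contrasts can be checked locally. The script below is an added example, not code from the thread, from Squid, or from any of the posters. It rebuilds angelv's CA-generation steps (openssl req with a v3_ca section, DER export for browser import, certificate and key in one file for cert=) with an inline openssl.cnf, then issues an ordinary server certificate signed by that CA, which has the same shape as a Let's Encrypt certificate (CA:FALSE, serverAuth only) and is therefore fit only for the plain https_port that Amos shows, never for ssl-bump. The cert_role function makes that distinction mechanically, and check_bump_ca verifies the key is present and matches before squid.conf is pointed at the file. It assumes only a POSIX sh and the openssl command line tool; the names myCA.*, proxy.* and proxy.example.test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a bump CA and a leaf certificate,
# then report which Squid use each one is fit for.
set -eu

# Minimal openssl.cnf so the CA gets real CA extensions instead of depending
# on whatever v3_ca section the system openssl.cnf carries.
write_cnf() {  # $1 = directory
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Bump CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:proxy.example.test
EOF
}

# Create the signing CA. Certificate and key go into one PEM file because
# Squid reads the key from the cert= file when no key= option is given.
make_bump_ca() {  # $1 = directory
  mkdir -p "$1"
  write_cnf "$1"
  openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
      -extensions v3_ca -subj '/CN=Example Bump CA' \
      -keyout "$1/myCA.key" -out "$1/myCA.crt" -config "$1/openssl.cnf" 2>/dev/null
  cat "$1/myCA.crt" "$1/myCA.key" > "$1/myCA.pem"
  # DER copy for importing into browsers, as in the original post.
  openssl x509 -in "$1/myCA.pem" -outform DER -out "$1/myCA.der"
}

# Issue a server (leaf) certificate for the proxy's own name, signed by the
# CA above. A public CA such as Let's Encrypt issues the same shape: it can
# serve TLS on an https_port but cannot sign anything.
make_server_cert() {  # $1 = directory
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj '/CN=proxy.example.test' \
      -keyout "$1/proxy.key" -out "$1/proxy.csr" -config "$1/openssl.cnf" 2>/dev/null
  openssl x509 -req -in "$1/proxy.csr" -CA "$1/myCA.crt" -CAkey "$1/myCA.key" \
      -CAcreateserial -days 90 -sha256 \
      -extfile "$1/openssl.cnf" -extensions v3_server -out "$1/proxy.crt" 2>/dev/null
}

# Report which Squid use a certificate file is fit for:
#   bump-ca      CA:TRUE plus keyCertSign: usable as cert= on an ssl-bump port
#   server-only  a leaf certificate: usable only for a plain https_port
#   invalid      not a parseable X.509 certificate
cert_role() {  # $1 = certificate file (PEM)
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo invalid; return 0; }
  if printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
     printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
    echo bump-ca
  else
    echo server-only
  fi
}

# Sanity checks on the CA bundle before pointing squid.conf at it: the private
# key is present and matches the certificate, and the DER export is the same
# certificate (same SHA-256 fingerprint). Prints "ok" or the first failure.
check_bump_ca() {  # $1 = directory
  cert_mod=$(openssl x509 -in "$1/myCA.pem" -noout -modulus)
  key_mod=$(openssl rsa -in "$1/myCA.pem" -noout -modulus 2>/dev/null) \
      || { echo "no private key in myCA.pem"; return 1; }
  [ "$cert_mod" = "$key_mod" ] || { echo "key does not match certificate"; return 1; }
  pem_fp=$(openssl x509 -in "$1/myCA.pem" -noout -fingerprint -sha256)
  der_fp=$(openssl x509 -inform DER -in "$1/myCA.der" -noout -fingerprint -sha256)
  [ "$pem_fp" = "$der_fp" ] || { echo "DER export differs from PEM"; return 1; }
  echo ok
}

# Stand-alone usage: sh bumpca-check.sh /some/work/dir
if [ $# -gt 0 ]; then
  make_bump_ca "$1"
  make_server_cert "$1"
  check_bump_ca "$1"
  echo "myCA.pem:  $(cert_role "$1/myCA.pem")"
  echo "proxy.crt: $(cert_role "$1/proxy.crt")"
fi
```

Run with a scratch directory as the only argument. The CA file reports bump-ca and the leaf reports server-only; running cert_role against a Let's Encrypt-issued .cer gives server-only for the same reason, which is the distinction Amos draws between the ssl-bump cert= and the plain https_port cert=/key=/cafile= configuration.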